include/vcl/IDialogRenderable.hxx | 2 +- vcl/source/window/window.cxx | 22 ++++++++++++++++++++++ 2 files changed, 23 insertions(+), 1 deletion(-)
New commits: commit 9f399fd26fdae602b321296d3f983320385b254d Author: Miklos Vajna <vmik...@collabora.com> AuthorDate: Mon Aug 26 09:05:05 2019 +0200 Commit: Miklos Vajna <vmik...@collabora.com> CommitDate: Mon Aug 26 09:58:29 2019 +0200 vcl lok: fix UB when lok notifier is deleted before its window During online.git's unit-copy-paste test: ==18827==ERROR: AddressSanitizer: heap-use-after-free on address 0x61c0000c88c0 at pc 0x7fcbf515fcac bp 0x7ffe9be7eef0 sp 0x7ffe9be7eee8 READ of size 8 at 0x61c0000c88c0 thread T0 (loolkit) #0 0x7fcbf515fcab in vcl::Window::PixelInvalidate(tools::Rectangle const*) core/vcl/source/window/paint.cxx:1227:20 #1 0x7fcbf515efcb in vcl::Window::LogicInvalidate(tools::Rectangle const*) core/vcl/source/window/paint.cxx:1207:9 #2 0x7fcbf5f6f9f4 in vcl::Window::queue_resize(StateChangedType) core/vcl/source/window/window2.cxx:1351:13 #3 0x7fcbf57e3a4f in DockingWindow::queue_resize(StateChangedType) core/vcl/source/window/dockwin.cxx:1046:18 #4 0x7fcbf5f6ff12 in vcl::(anonymous namespace)::queue_ungrouped_resize(vcl::Window const*) core/vcl/source/window/window2.cxx:1301:22 #5 0x7fcbf5f6e390 in vcl::Window::queue_resize(StateChangedType) core/vcl/source/window/window2.cxx:1320:26 #6 0x7fcbf5f6ff12 in vcl::(anonymous namespace)::queue_ungrouped_resize(vcl::Window const*) core/vcl/source/window/window2.cxx:1301:22 #7 0x7fcbf5f6e390 in vcl::Window::queue_resize(StateChangedType) core/vcl/source/window/window2.cxx:1320:26 #8 0x7fcbf601ebef in vcl::Window::StateChanged(StateChangedType) core/vcl/source/window/window.cxx:1929:13 #9 0x7fcbf601f761 in vcl::Window::CompatStateChanged(StateChangedType) core/vcl/source/window/window.cxx:3719:5 #10 0x7fcbf600d9b6 in vcl::Window::Show(bool, ShowFlags) core/vcl/source/window/window.cxx:2189:9 #11 0x7fcbf50ae584 in vcl::Window::Hide() core/include/vcl/window.hxx:930:50 #12 0x7fcbf5fceb7a in vcl::Window::dispose() core/vcl/source/window/window.cxx:399:5 #13 0x7fcbf629f6fb in Control::dispose() 
core/vcl/source/control/ctrl.cxx:62:13 #14 0x7fcbf612db90 in Button::dispose() core/vcl/source/control/button.cxx:108:14 #15 0x7fcbf617736d in RadioButton::dispose() core/vcl/source/control/button.cxx:2292:13 #16 0x7fcbf6dd52da in VclReferenceBase::disposeOnce() core/vcl/source/outdev/vclreferencebase.cxx:41:5 #17 0x7fcc1add4fa4 in VclPtr<RadioButton>::disposeAndClear() core/include/vcl/vclptr.hxx:206:19 #18 0x7fcc1adc4b3e in sfx2::sidebar::TabBar::SetDecks(std::__debug::vector<sfx2::sidebar::ResourceManager::DeckContextDescriptor, std::allocator<sfx2::sidebar::ResourceManager::DeckContextDescriptor> > const&) core/sfx2/source/sidebar/TabBar.cxx:116:27 #19 0x7fcc1abb2ebb in sfx2::sidebar::SidebarController::UpdateConfigurations() core/sfx2/source/sidebar/SidebarController.cxx:525:15 #20 0x7fcc1abb0d1e in sfx2::sidebar::SidebarController::notifyContextChangeEvent(com::sun::star::ui::ContextChangeEventObject const&) core/sfx2/source/sidebar/SidebarController.cxx:321:9 #21 0x7fcb4688906e in (anonymous namespace)::ContextChangeEventMultiplexer::BroadcastEventToSingleContainer(com::sun::star::ui::ContextChangeEventObject const&, com::sun::star::uno::Reference<com::sun::star::uno::XInterface> const&) core/framework/source/services/ContextChangeEventMultiplexer.cxx:254:23 #22 0x7fcb46883d44 in (anonymous namespace)::ContextChangeEventMultiplexer::broadcastContextChangeEvent(com::sun::star::ui::ContextChangeEventObject const&, com::sun::star::uno::Reference<com::sun::star::uno::XInterface> const&) core/framework/source/services/ContextChangeEventMultiplexer.cxx:237:5 #23 0x7fcc1ac67170 in sfx2::sidebar::ContextChangeBroadcaster::BroadcastContextChange(com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&, rtl::OUString const&, rtl::OUString const&) core/sfx2/source/sidebar/ContextChangeBroadcaster.cxx:108:23 #24 0x7fcc1ac66021 in sfx2::sidebar::ContextChangeBroadcaster::Activate(com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&) 
core/sfx2/source/sidebar/ContextChangeBroadcaster.cxx:53:9 #25 0x7fcc19838064 in SfxShell::BroadcastContextForActivation(bool) core/sfx2/source/control/shell.cxx:713:47 #26 0x7fcc19837b2a in SfxShell::Activate(bool) core/sfx2/source/control/shell.cxx:361:5 #27 0x7fcc19836442 in SfxShell::DoActivate_Impl(SfxViewFrame*, bool) core/sfx2/source/control/shell.cxx:314:5 #28 0x7fcc19647b7e in SfxDispatcher::DoActivate_Impl(bool) core/sfx2/source/control/dispatch.cxx:702:42 #29 0x7fcc1b125692 in SfxViewFrame::DoActivate(bool) core/sfx2/source/view/viewfrm.cxx:1173:20 #30 0x7fcc18ed323d in SfxApplication::SetViewFrame_Impl(SfxViewFrame*) core/sfx2/source/appl/app.cxx:311:21 #31 0x7fcc1b1254f7 in SfxViewFrame::SetViewFrame(SfxViewFrame*) core/sfx2/source/view/viewfrm.cxx:3266:19 #32 0x7fcc1b1412fb in SfxViewFrame::MakeActive_Impl(bool) core/sfx2/source/view/viewfrm.cxx:1877:9 #33 0x7fcc1b06d6f4 in SfxLokHelper::setView(int) core/sfx2/source/view/lokhelper.cxx:85:25 freed by thread T0 (loolkit) here: #0 0x610150 in operator delete(void*) _asan_rtl_:0 #1 0x7fcbb32e2560 in ScTabViewShell::~ScTabViewShell() core/sc/source/ui/view/tabvwsh4.cxx:1709:1 #2 0x7fcc1b121be5 in SfxViewFrame::ReleaseObjectShell_Impl() core/sfx2/source/view/viewfrm.cxx:1116:9 #3 0x7fcc1b13caf9 in SfxViewFrame::~SfxViewFrame() core/sfx2/source/view/viewfrm.cxx:1615:5 #4 0x7fcc1b13e234 in SfxViewFrame::~SfxViewFrame() core/sfx2/source/view/viewfrm.cxx:1609:1 #5 0x7fcc1b125143 in SfxViewFrame::Close() core/sfx2/source/view/viewfrm.cxx:1168:5 #6 0x7fcc1afc6a92 in SfxFrame::DoClose_Impl() core/sfx2/source/view/frame.cxx:159:35 #7 0x7fcc1b0bb60d in SfxBaseController::dispose() core/sfx2/source/view/sfxbasecontroller.cxx:983:28 #8 0x7fcb469d1e9b in (anonymous namespace)::XFrameImpl::setComponent(com::sun::star::uno::Reference<com::sun::star::awt::XWindow> const&, com::sun::star::uno::Reference<com::sun::star::frame::XController> const&) core/framework/source/services/frame.cxx:1492:33 #9 0x7fcb469dd0c0 in 
(anonymous namespace)::XFrameImpl::close(unsigned char) core/framework/source/services/frame.cxx:1699:12 #10 0x7fcc1b185d84 in SfxViewFrame::Exec_Impl(SfxRequest&) core/sfx2/source/view/viewfrm2.cxx:246:32 #11 0x7fcc1b06c967 in SfxLokHelper::destroyView(int) core/sfx2/source/view/lokhelper.cxx:59:25 #12 0x7fcc2bf0a551 in doc_destroyView(_LibreOfficeKitDocument*, int) core/desktop/source/lib/init.cxx:4473:5 #13 0x980e57 in lok::Document::destroyView(int) core/include/LibreOfficeKit/LibreOfficeKit.hxx:512:9 #14 0x9310e4 in Document::onUnload(ChildSession const&) online/kit/Kit.cpp:1555:29 #15 0x6175e8 in ChildSession::disconnect() online/kit/ChildSession.cpp:98:30 #16 0x616c85 in ChildSession::~ChildSession() online/kit/ChildSession.cpp:85:5 I.e. normally first the vcl::Window is deleted, and only then the view shell, and the lifecycle handled in vcl::Window::ReleaseLOKNotifier(). But at least with DockingWindow, it can happen that the vcl::Window outlives its view shell, so we need to decouple the vcl::Window and its view shell (lok notifier) in both cases, no matter which object is deleted first. Change-Id: I49701817827f8b7545d07a1d74514781551db7e9 Reviewed-on: https://gerrit.libreoffice.org/78105 Reviewed-by: Miklos Vajna <vmik...@collabora.com> Tested-by: Jenkins
diff --git a/include/vcl/IDialogRenderable.hxx b/include/vcl/IDialogRenderable.hxx
index e5596c5fe88f..86ea333d1100 100644
--- a/include/vcl/IDialogRenderable.hxx
+++ b/include/vcl/IDialogRenderable.hxx
@@ -27,7 +27,7 @@ typedef sal_uInt32 LOKWindowId;
 class VCL_DLLPUBLIC ILibreOfficeKitNotifier
 {
 public:
- virtual ~ILibreOfficeKitNotifier() {}
+ virtual ~ILibreOfficeKitNotifier();
 
 /// Callbacks
 virtual void notifyWindow(vcl::LOKWindowId nLOKWindowId,
diff --git a/vcl/source/window/window.cxx b/vcl/source/window/window.cxx
index d20dccb60481..02e10941d61d 100644
--- a/vcl/source/window/window.cxx
+++ b/vcl/source/window/window.cxx
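Review bot: The destructor declared on the `+ virtual ~ILibreOfficeKitNotifier();` line now carries a side effect that a header reader cannot see — its out-of-line body in window.cxx walks the LOK windows map and detaches every vcl::Window that still points at this notifier — so the declaration should say so. A one-line Doxygen comment above it would do, e.g. `/// Detaches this notifier from every vcl::Window still referencing it (the counterpart of Window::ReleaseLOKNotifier).` The enclosing class continues past the end of the hunk.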
@@ -3217,6 +3217,28 @@ void Window::ReleaseLOKNotifier()
 mpWindowImpl->mnLOKWindowId = 0;
 }
 
+ILibreOfficeKitNotifier::~ILibreOfficeKitNotifier()
+{
+ if (!comphelper::LibreOfficeKit::isActive())
+ {
+ return;
+ }
+
+ for (auto it = GetLOKWindowsMap().begin(); it != GetLOKWindowsMap().end();)
+ {
+ WindowImpl* pWindowImpl = it->second->ImplGetWindowImpl();
+ if (pWindowImpl->mpLOKNotifier == this)
+ {
+ pWindowImpl->mpLOKNotifier = nullptr;
+ pWindowImpl->mnLOKWindowId = 0;
+ it = GetLOKWindowsMap().erase(it);
+ continue;
+ }
+
+ ++it;
+ }
+}
+
 const vcl::ILibreOfficeKitNotifier* Window::GetLOKNotifier() const
 {
 return mpWindowImpl->mpLOKNotifier;
_______________________________________________ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
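Review bot: `pWindowImpl` is dereferenced without a null check on the `if (pWindowImpl->mpLOKNotifier == this)` line; if a window whose WindowImpl has already been released can still sit in GetLOKWindowsMap() at this point (the hunk does not show what dispose() does to the map), ImplGetWindowImpl() would hand back a null pointer and this loop would crash in exactly the teardown ordering the commit sets out to fix. A guard such as `if (pWindowImpl && pWindowImpl->mpLOKNotifier == this)` costs nothing, and hoisting the map into a local `auto& rLOKWindows = GetLOKWindowsMap();` avoids re-fetching it three times per iteration. The detach sequence here (clear notifier, clear window id, erase from the map) mirrors the tail of Window::ReleaseLOKNotifier() visible in the context lines above; factoring it into one small helper would keep the two directions of the decoupling from drifting apart. ReleaseLOKNotifier() itself begins before the hunk.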